Free Anti-Virus Tips
and Techniques

Common Sense Methods to Protect
Yourself from Macro Viruses

By Chengi Jimmy Kuo
Senior Fellow, NAI Labs

Director Anti-Virus Research,

Anti-Virus Emergency Response Team (AVERT)

WHITE PAPER

1

F R E E A N T I - V I R U S T I P S & T E C H N I Q U E S

Table of Contents

Introduction .................................................................................................................. 2

Early Anti-Virus Suggestions from Microsoft ..............................................................3

Microsoft Word Macro Viruses .................................................................................... 5

Excel Macro Viruses .....................................................................................................18

PowerPoint Macro Viruses ..........................................................................................19

Office 2000 Viruses ......................................................................................................20

Script Viruses................................................................................................................21

Additional Tips.............................................................................................................22

Author’s Conclusions ...................................................................................................23

Acknowledgments ........................................................................................................24

The information in this white paper has been provided by Network Associates, Inc. To the best knowledge of
Network Associates, Inc., these companies offer the types of products described. These companies are solely
responsible for their software, distribution, and support services. Network Associates, Inc. disclaims any and all
liabilities for and makes no warranties, expressed or implied, with respect to these products, including, without
limitation, the implied warranties of merchantability and fitness for a particular purpose. Distribution of these
products, or information concerning these products, does not constitute Network Associates, Inc. endorsement of the
products, the companies, or support services. Product information is subject to change without notice.

Introduction

In the summer of 1995, the Word Concept virus was unleashed upon an unsuspecting

world, changing the scope of the virus problem forever. For the first time, viruses could reside in

common word processing and spreadsheet documents. Since that time, Word and Excel macro

viruses have become the most dominant virus threat to organizations and individuals alike,

appearing at a rate of over 200 new viruses per month.

“In 1999 alone, $7.6 billion in damage was

done by viruses, many of them macro viruses affecting Word and Excel environments.”

Network Associates offers a comprehensive solution for all existing and new macro

viruses in its McAfee Total Virus Defense suite scanning engine. Part of any good virus

security policy, however, involves things you can do at no cost to reduce your exposure to

macro viruses.

The objective of this paper is to introduce a variety of free macro anti-virus techniques

and discuss the pros and cons of each. This paper concludes with the author discussing several

methods he personally uses to protect himself against macro viruses in his day-to-day work.

N E T W O R K A S S O C I A T E S

2

A U T H O R P R O F I L E

Chengi Jimmy Kuo is a well-

known anti-virus researcher,

specializing in how viruses affect

the common user and how best

to protect users' data. He is the

author of numerous technical

papers which have been

independently translated into

several languages, and he has

appeared on TV and in

newspapers worldwide thanks to

his virus expertise. Kuo holds a

Bachelor of Science degree in

Engineering and Applied Sciences

from the California Institute of

Technology, and his previous

areas of research include IBM

PS/2 BIOS (his initials can be

found in the some models of

BIOS chips), AIX-UNIX

development, and natural

language processing. Kuo

presently serves as Director of

Anti-Virus Research for the

Network Associates Anti-Virus

Emergency Response Team

(AVERT), and holds a Senior

Fellow position at NAI Labs, a

Network Associates advanced

research facility.

3

F R E E A N T I - V I R U S T I P S & T E C H N I Q U E S

Introduction to Macro Viruses

Macro viruses take advantage of “macro” utility tools built into programs such as

Microsoft Word and Excel. By riding on data files exchanged through the application, macro

viruses infect great numbers of documents. While macro viruses are application-specific, they

are not operating system dependent, which means they can quickly travel in e-mail,

downloads, floppies and groupware applications.

Macro viruses can exist in any number of products that give a user the ability to write

macro scripts that can, in turn, write to the disk to propagate more macros. Because of its

widespread usage, the product with the most macro viruses today is Microsoft Word. Viruses

spread easiest in the MS Word environment because documents can contain both text and

macros. By combining both text and macros, the user has much more power and usability

features. The two go hand in hand. More power to the user. More potential for macro viruses.

Microsoft Excel is similarly afflicted. Excel macro viruses began appearing some time

after the original Word macro virus, but are being discovered at an alarming rate today. The

same dynamics that affect Word also affect Excel. Excel also uses OLE2 container files,

combining macros and all of the cell functions and data in the same file.

When Microsoft Office 97 was released, all macro languages converged upon Visual

Basic 5 (VB5), making cross-application viruses a theoretical possibility. This makes the

possibility of macro viruses for other platforms only a matter of time, especially as more and

more vendors independently support VB5.

Viruses are defined by their ability to spread. A Word macro virus spreads easiest when

it intercepts the macro execution path by making use of one or more of Word's AUTO

macros, or by using a menu replacement. Then it places itself into the global environment by,

for instance, updating the normal.dot file. Most of the approaches below target that scenario.

Early Anti-Virus Suggestions from Microsoft

After the Concept. A virus first appeared in mid-1995, Microsoft responded promptly

with several suggestions to help reduce the risk of infection. Although these early attempts

proved ineffective once the scope of the macro virus problem became apparent, they do provide

an interesting insight into Microsoft's initial attempts to solve the Concept. A problem.

Create a Payload Macro

One early suggestion supplied by Microsoft was to create a Payload macro to counteract

the effects of Concept.A. While potentially effective against Concept.A, this method would

have no effect on any of the thousands of other macro viruses in existence. With thousands of

macro viruses in circulation today, Microsoft no longer recommends this approach.

PROS:

Early solution that protected against Concept.A

CONS:

No protection against other viruses

ScanProt

ScanProt is a macro package written by Microsoft. Its original intention was to protect

against Concept.A and to provide a mechanism for users to be alerted if any incoming

document contained macros. One unintended side effect of the original ScanProt

workaround was the fact that various ScanProt macros were actually absorbed into spreading

viruses. This caused a "mating" scenario between an existing virus and ScanProt, producing a

new virus variant. The positive benefits of this approach, however, have since been

incorporated directly into Word 7.0a and Word 97.

Another action undertaken by ScanProt is to rename macros associated with known

viruses to alternative names. Although this approach makes some known viruses non-

functional, it also makes them irremovable by some anti-virus products. With more than 200

new macro viruses appearing each month, it is also an ineffective method of maintaining

ongoing virus security.

PROS:

Early solution that protected against Concept.A

Alerts if any macros exist in document (now a feature of Word 7.0a and 97)

CONS:

ScanProt macros can be absorbed and spread as part of new viruses

Prompt to Save Normal Template

This is an option available from within Word. Microsoft made this option the first

macro virus prevention method when it suggested its use against Concept.A. To activate the

N E T W O R K A S S O C I A T E S

4

5

F R E E A N T I - V I R U S T I P S & T E C H N I Q U E S

option, simply click on Tools and Options..., then choose the Save tab. From this menu, check

the Prompt to Save Normal Template option.

As noted above, viruses spread by definition. This is most easily accomplished by getting

into the global environment. The global environment is represented by the file normal.dot. If

a virus attempts to alter normal.dot and this option is in use, Word will inform you that there

is a request to change the Normal Template as you attempt to exit. At this time, you can

respond that you do not wish to allow such a change. Presumably, the user would know of

any intentional changes. An unexpected attempt to modify this file could, therefore, indicate a

virus attack in progress.

Even with this option in use, however, it is possible to open an infected file and infect

the environment. The warning does not occur until exit from Word. Thus any documents

opened and saved after the initial infected document will also be infected. Furthermore, many

of today's most prevalent macro viruses are aware of this attempt, and can easily deactivate

this feature themselves, rendering it largely ineffective.

PROS:

Easy to set
Commands required to set this feature can be automated
Reduced risk from early macro viruses like Concept.A, Wazzu.A, and NPad

CONS:

Easy for a "smart" virus to deactivate
Does not inform until AFTER infection when user exits Word

Microsoft Word Macro Viruses

The Shift Key

Most macro viruses make use of Word's AutoOpen and AutoClose macros to operate.

Disabling these built-in macros can be an effective way of stopping such macro viruses from

spreading. Holding down the shift key during the startup of Word allows for a file to be

opened without allowing any Auto macros to execute. This will prevent viruses that use the

AutoOpen macro in order to spread. Similarly, if held down at exit, the AutoClose macro will

not be executed.

In order to correctly make use of this feature, one must be holding down either shift key

at the moment Word is activated, and continue holding throughout the startup process. To be

sure this occurs, you should hold the key down with one hand while the other hand is

double-clicking the Word icon. It might seem obvious, but it is not always easy to do, even if

you remember. The shift key must be held down for the duration of Word's startup process.

Letting go early may allow a macro to execute.

Holding down the shift key

during the startup of Word

allows for a file to be opened

without allowing any Auto

macros to execute.

N E T W O R K A S S O C I A T E S

6

PROS:

Effective against the AutoOpen and AutoClose macros

CONS:

Easy to forget or perform incorrectly
If done incorrectly, you will not know until it is too late
Viruses that do not use AutoOpen or AutoClose will still infect

DisableAutoMacros

DisableAutoMacros is a Word macro function does exactly what the name implies. If

the function is activated, no auto functions will execute automatically until the function is

turned off (or until the next Word session). Removing the ability to automatically execute the

auto functions limits those viruses from easily infecting your system.

Ironically, the best way to invoke this function is through an AutoExec macro. However,

in the following instructions, the end result will be an AutoExec function in its own template

file, not in the normal.dot file. I recommend the template file be placed in the default startup

directory in order to keep the normal.dot file pristine. And, in this manner, it is easier to give

the file to others and harder for viruses to find and remove.

Start by making sure your normal.dot is writeable, and empty...

Click on Tools, Macros...
In the Macro Name: box, Enter autoexec
Click on Create.

Edit the macro to insert the DisableAutoMacros command:

Sub MAIN
DisableAutoMacros 1
End Sub

Close the editing session. Exit and save all changes.

In the DOS environment:

copy \msoffice\templates\normal.dot \msoffice\winword\startup\noauto.dot
erase \msoffice\templates\normal.dot

PROS:

Disables all Auto macros
Greatly reduces chance of infection

CONS:

Not foolproof
Does not disable other intercepted macros, key shortcuts, etc.
Environment is no longer pristine. May lead others to believe the macro you
have established is suspicious and cause technical support issues.

7

F R E E A N T I - V I R U S T I P S & T E C H N I Q U E S

Prompt to Save Normal Template in noauto.dot

In creating noauto.dot in the above process, it is beneficial to also include the command

which turns on the Prompt to Save Normal Template choice. This can be accomplished by

using the following macro in place of the above:

Sub MAIN
DisableAutoMacros 1
ToolsOptionsSave .GlobalDotPrompt = 1
End Sub

Or for Word 97:

Public Sub MAIN()

WordBasic.DisableAutoMacros 1
WordBasic.ToolsOptionsSave GlobalDotPrompt:=1

End Sub

This insures that the option is set every time, should normal.dot be deleted, or

something resets the option. This also allows the network administrator to distribute one file

which enforces two of the ideas instead of just one.

Menu Choices within Word

Macros are separate from the text and are not seen unless one goes looking for them.

The most common way to check for macros would be through Tools then Macro...

Unfortunately, viruses can intercept menu items. And the most commonly intercepted

function is... Tools/Macro. This makes it unwise in a suspect situation to use Tools/Macro to

determine if macros exist in documents. In the Customized Tools/Macro section below, you

will be shown how to create your own replacement to Tools/Macro.

It is safe, however, for you to view macros in document files through the use of the

Organizer function. The organizer function can be achieved through either

File/Templates/Organizer... or Format/Styles/Organizer... or by creating your own following

the instructions in the Customized Tools/Macro section below.

To see if macros exist in a document file without being affected by them, exit and restart

Word without opening any documents. If you suspect that the normal.dot file or the startup

environment may be infected, you need to rename the file and rename all the document files

in the startup directory to other than DOC or DOT so Word can be started in a pristine state.

To ensure that no virus affects your viewing of a suspect file, one must ensure that Word is

started in a pristine state by following the previous directions.

Upon starting Word, get to the organizer via one of the previously mentioned methods.

Choose the Macros tab. On the left half of the box is a button labeled Close File. Click that

To see if macros exist in a

document file without being

affected by them, exit and

restart Word without opening

any documents.

8

N E T W O R K A S S O C I A T E S

button to change the label to Open File... Click on Open File... to get a Browse box. Choose

the target file to investigate. (By default, Word lists the .dot files. If the file you wish to

investigate is not so named, you should change the Files of Type: drop-down box to All Files.)

The filename will be shown. If any macros exist in the file, they will be listed in the big box. If

not, normal.dot will show up again with its macros. Practice on a file that you know has

macros in it.

PROS:

Safely determines if any macros exist in the target file

CONS:

Difficult to tell whether macros contain a virus

Complex set of tasks

Customized Tools/Macro

Because default menu items are often targeted and intercepted by macro viruses, it is

important to know how to create menu items which will have the same functionality as those

which would be intercepted. Following are instructions to create an equivalent to

Tools/Macros...

Make sure the normal.dot is writeable…

Click on Tools, Customize...
Choose the Menus tab
Under Categories click on Tools
Under Commands click on ListMacros
For Position on menu: choose (At bottom)
Click on Rename.

Close the editing session. Exit and save all changes.

In DOS, remember to make normal.dot read-only again.

Following this, you will have an additional choice under Tools to list the macros in your document.

PROS:

Bypasses the need to use Tools/Macro...

Not subject to virus payloads tied to Tools/Macro

CONS:

Works until viruses start to interept Tools/ListMacros

Requires creation of customized menus to regain use of lost menu features

Word 7.0a and Word97

In Word 7.0a (available for Windows 95) and in Word97, a new check box was dded to

Tools/Options.../General. This check box allows the user to be alerted if any macros exist in a

document which is about to be opened. If such a document is encountered, the user is given

the choice of stopping, continuing unaltered, or continuing with the macros disabled.

9

F R E E A N T I - V I R U S T I P S & T E C H N I Q U E S

If the user chooses to continue with the macros disabled, the file is opened in a read-

only state and cannot be changed. If you do not normally make use of macros, it may be wise

to have the features activated by default.

Although simple to activate, some of the usability touches added to this feature create

exceptions that are not readily apparent. These conditions have previously been documented

by Vesselin Bontchev and revolve around certain conditions where Microsoft would expect

macros to appear. Thus if those macros turn out to be viral, the initial warning will not alert

because the macros were expected to be there.

PROS:

Generally effective. If there's a macro in the document, it tells you so.

CONS:

Prevents editing of any document with normal healthy macros
Can be defeated by viruses that fall under Word's exceptions list

Read-Only Recommended for Normal.dot

Word also allows for its own enforcement of normal.dot as a read-only file. Therefore,

even if the file is not read-only, Word can still open it as if it were.

The downside to using this option is that each time you start Word, it will ask you if

you wish to open the file as read-only. This can become bothersome and lead users to turn it

off quickly. Of the techniques described in this paper, this is the most bothersome as it will

interfere with a message even in a clean environment.

To set up this option:

Start a Word session and explicitly open the normal.dot file. (\MsOffice\Templates)
Click on Tools, Options…
Choose the Save tab. See instructions Prompt to Save Normal Template section
At the lower left under File-Sharing Options for normal.dot, check Read-Only Recommended
Close the editing session. Exit and save all changes.

PROS:

Allows flexibility for those who want their normal.dot to be read-only occasionally

CONS:

Asserts messages to you each time you start Word

Password Protect Normal.dot

Yet another offering under the Save tab of Tools, Options..., adjacent to Read-Only Recom-

mended, is Write-Reservation Password (For Word97: Password to modify). If this choice is invoked,

each time Word is started, the user will be asked to enter the password or open the file as read-only.

The advantage of this is that only select people will be allowed to modify normal.dot,

and only if that person knows beforehand that he/she wishes to change it.

N E T W O R K A S S O C I A T E S

10

The disadvantage is that only select people can clean up such an infection. And on those

occasions when normal.dot is allowed to be infected, no warning is given that it has been infected.

To set up this option:

Start a Word session and explicitly open the normal.dot file. (\MsOffice\Templates)
Click on Tools, Options...
Choose the Save tab. The instructions are the same as above.
At the lower left under File-Sharing Options for normal.dot, type a password into the Write-
Reservation Password box. You will then be asked to confirm the password.
Close the editing session. Exit and save all changes.

PROS:

Allows flexibility for those who occasionally want their normal.dot to be read-only

CONS:

Asserts messages to you each time you start Word
Only that same select few can clean up the global infection

Word97 Lock VB Project for Normal.dot

As a user of Word97, there is yet another method to make normal.dot a write-protected

document. This feature prevents modules from being created, viewed, or copied into the

Template Project. Macro viruses, which would be Visual Basic modules, would fall into that

class.

However, font selections, AutoText, and other stylistic choices and settings do not. Thus

a user could change certain default choices in normal.dot without having to overcome

protections, and also not allow the standard macro virus to infect.

To set this up, make sure the normal.dot is writeable:

Start a Word97 session
Press ALT-F11 to open the VB-Editor
Click on View, Project Explorer to activate
Mark Normal in the Project Explorer.
Click on Tools, Normal Properties...
Choose the Protection tab
Check Lock project for viewing and set a password
Click on File, Save Normal
Close the editing session

PROS:

Virus cannot bypass this unless it happens to guess your password
Users needing to change Autotext and Toolbars won't be affected

F R E E A N T I - V I R U S T I P S & T E C H N I Q U E S

Using RTF (Rich Text Format) Files

The previous suggestions are mostly concerned with how to detect viruses. This section

addresses how to avoid sending out an infected document, and in so doing, possibly protect

your organization from being infected.

There is a rumor that says .RTF files cannot have macro viruses. First, let us specifically

define what that means:

When using the File/SaveAs... function, there is a box that allows you to choose what

type file you wish to save this file as (Save as type:). When one chooses Rich Text Format, the

document is saved without macros. However, this does not apply to embedded documents.

Even though the top level may not contain macros, embedded documents may. But most

people do not use embedded documents, and this is one reason why they should not. Abiding

by the rule that if a file does not have macros, it cannot have macro viruses, this then

becomes a rather useful way to distribute one's finished work.

But just because a file has a .RTF extension does not mean that it is a Rich Text Format

file. First, any file can have any name you designate. But mostly, WM/CAP, one of the most

prevalent Word macro viruses, actually takes over the File/SaveAs... operation specifically to

fool a user who tries to take advantage of this fact.

In light of all that, I suggest the following. When finished with your work and about to

distribute it:

SaveAs... the document as temp.doc (keep the same type as the original document).
SaveAs... this temp.doc file as final.rtf (change the type to Rich Text Format).

After completely exiting Word, notice that temp.doc is smaller than the original

document. This is because we asked Word to save the file afresh. In doing so, the process

cleans up the unused or deleted sectors from the OLE2 file and rewrites the document into a

fresh new file. This results use as small a file as possible to house all the information in the

document.

Following that, we saved the file again as a Rich Text Format file. So, from "the smallest

file as possible," anything having to do with macros is removed. This results in an even

smaller file, even if there are no macros.

So, given that final.rtf is smaller than temp.doc, you can be reasonably assured that

final.rtf will not be an infected document. (And you may want to replace your original

document with temp.doc, as the new one is smaller.)

11

N E T W O R K A S S O C I A T E S

12

PRO:

For distribution, the smallest possible file is sent
Your friends are not infected by your documents
You and your company are not embarrassed
You get in the practice of distributing only RTF files, a good habit to have

CON:

It is a few extra steps
May not be perfect

Methods Related to the Operating System

Read-Only Normal.dot

Probably the most effective free macro virus protection method is to change the

attribute of normal.dot to read-only. As it is so easy to do and quite effective, it is also the

most talked about method on the Internet.

DOS has the concept of attribute bits. The most commonly referenced are the System,

Read-Only (RO), Hidden, and Archive bits. The specific attribute bit which interests us is the

Read-Only bit. If the RO bit is set, normal DOS system calls will refuse to write or change the

file. Thus, in theory, if the normal.dot file is RO, no virus will be able to change it.

As noted before, a virus generally wants to change the global environment. This

generally causes the normal.dot to be rewritten. However, if the RO bit is set, when Word

opens normal.dot, it recognizes and stores this fact. When Word exits, it remembers

normal.dot was RO and refuses any attempt to change it.

Anyone who uses macros would be severely limited by this approach, however, as it

would require constantly modifying the read-only status. A user of macros can still operate

with a RO normal.dot, however, if he/she stores all files in the default startup directory.

Macros would be handled in the way we described in the noauto.dot section above.

Second, and a very important note, is that one doesn't realize a virus is active until

AFTER exiting Word. The significant technical note is to recognize that Word informs you of

the attempt to write to normal.dot when it exits. So, throughout the time you are using Word,

files will continue to be infected without warning. Only on exit do you realize that something

bad has been happening throughout the day.

At that point, of course, you can immediately shift into "virus forensics" mode.

Forensics needs as much historical information as it can muster. To facilitate this, we would

want to make use of the Most Recently Used (MRU) list. By default, Word's MRU list is set to

remember the last four files opened by the user. These are going to be the files of interest

anyway. The files saved on that day are the ones to be chased down if any of them had been

sent to anyone.

Probably the most effective free

macro virus protection method is

to change the attribute of

normal.dot to read-only.

13

F R E E A N T I - V I R U S T I P S & T E C H N I Q U E S

With a default of only four, you would most likely need to increase the length of the

MRU list to the maximum number of files you might expect to use during the average day. To

do so, choose Tools then Options… then General. Go to the Recently Used File List and

increase the number to its maximum.

PROS:

System level protection
Slows down viral spread
Will know of an infection by the end of the day
Viruses cannot circumvent this to infect normal.dot in the same session

CONS:

If user must constantly update his macros, productivity would be hindered
Could require significant backtracking if virus is discovered
May create false sense of security

Word Viewer

One of the most common infection scenarios involves receiving a document through e-

mail, double-clicking on it, and having Word automatically open the document. This is

governed by one of two setups. It will be either the e-mail program itself being programmed

to activate Word based on whatever criteria it uses, or it will be based on the e-mail program

making use of the registry.

In this section, we will cover the steps necessary to change the default association of

.DOC and .DOT files to Word. This affects such activities as double-clicking, drag-and-drop,

and Explorer.

The title of this section is Word Viewer because instead of using Word to read .DOC

files, another program is used instead, one which does not support macros. WordView or

WordPad are such programs. WordPad supports no macros. WordView has restricted support

of macros. This section covers the necessary steps to redirect the registry associations of

.DOC and .DOT from Word to WordPad or WordView.

Find WordPad.EXE (or WordView.EXE) on your system
Note the full pathname for the file
Find REGEDIT.EXE or REGEDT32.EXE on your system and execute
Under HKEY_CLASSES_ROOT, locate .doc and .dot
Traverse the structure until you locate Shell then command
Change the associated command to the full pathname of WordPad.EXE

HKEY_CLASSES_ROOT
.doc

Word.Document.6

Word.Document.6

shell

open

command

C:\Program Files\Windows NT\Accessories\WordPad.exe "%1"

N E T W O R K A S S O C I A T E S

14

NOTE: All the commands have to be changed: Open, New, etc.

PROS:

Does not allow macros of any kind to execute

CONS:

Limited word processing capabilities
Avoid macros, but doesn't tell you they are there
Some e-mail programs disregard the registry

If you do not have a viewer, one can be retrieved, free, from:

http://www.microsoft.com/msword/internet/viewer/viewer97/license.htm

Replace Normal.dot Every Time

In normal DOS usage, there is the regular suggestion to boot clean before running anti-

virus programs. While there is no need to enforce a clean Word environment before running

anti-virus programs, it is still worthwhile to know that one's environment is clean before each

new day's use.

One way this is accomplished is to delete and replace one's normal.dot file each day. We

use autoexec.bat to force this each time the machine is booted. Of course this effectively

makes normal.dot a poor mechanism to hold changes. If changes are not moved to the

archived copy, they are lost. This method also does not inform the user of an infection. The

infection is simply destroyed. Since that's the normal course, I've added the read-only

attribute to the file.

To set this up, do the following:

cd \msoffice\templates
md archive
copy normal.dot archive\normal.goo

(Goo is short for "good" and presumably won't conflict with any other extensions in use.)

attrib +r archive\normal.goo

Add the following to autoexec.bat:

pushd \msoffice\templates
erase /f normal.dot
copy archive\normal.goo normal.dot
attrib +r normal.dot
popd

(If you do not have pushd/popd, use full directory pathnames)
endbat (transition to empty endbat.bat file, see endbat.bat section below)

PROS:

Boots Word clean every day

CONS:

Hassle to change any macros
Doesn't tell you if anything happened

15

F R E E A N T I - V I R U S T I P S & T E C H N I Q U E S

Check For Changes to Normal.dot

Another way to ensure a clean startup of Word, instead of forcing it to be replaced with

a new version each day, is to check the present version against the known clean one which

had been archived. This method differentiates from the previous one in its ability to alert the

user of changes having occurred. To achieve this, we have to save a copy of the current

(hopefully clean) normal.dot file.

The setup:

cd \msoffice\templates
md archive
copy normal.dot archive\normal.goo
attrib +r archive\normal.goo

Add the following to autoexec.bat:

diff \msoffice\templates\archive\normal.goo \msoffice\templates\normal.dot > NUL
(Diff is a program similar to fc (from DOS). Fc does not return the necessary errorlevel for use
in this manner. Ask local gurus for a copy of diff, they’re sure to have one.);
if errorlevel 1 goto changed
[continue]
goto end

:changed
echo normal.dot changed^G
The "^G" represents a CTRL-G, which is "hold down the Ctrl key, and press G." It causes a

beep.
pause
:end
endbat

PROS:

Informs of any change
Ensures clean normal.dot each day
Generally transparent

CONS:

Not effective until next bootup
Requires expert to setup
Requires expert to understand use

Check the Startup Directory

In the DisableAutoMacros section above, after creating noauto.dot, it was suggested that

the file be placed in Word's Startup directory. Any template file stored in this directory is

automatically installed into Word's environment when Word starts up. That also makes this

directory the target of viral attacks as any virus could add itself to an environment by

dumping a template file in this directory. Therefore, it is important to keep an eye on the

N E T W O R K A S S O C I A T E S

16

directory to make sure the contents of the directory do not change.

To make sure no viruses are added to the directory, we need to store a listing of the

directory from a known clean state. Then, each time the machine is started, we make use of

autoexec.bat to check that the current contents of the directory is not different from the list

which represents what it should be. The code needed to make this happen can be seen below.

To set up:

Start Word and locate the default Startup directory
Click on Tools
Go to Options…
Choose the File Locations tab
Look for the entry related to Startup
(If there are three dots in the directory name, double click on the entry to see the full
directory name. Write down this directory name. Below, the code example uses
\msoffice\Winword\Startup as that directory.)
Cancel, etc. and exit from Word

In DOS, continue by executing the following instruction:

dir /b /a \msoffice\Winword\Startup > %TEMP%\startup.lst

This dir command creates the list which lists the current contents of the Startup

directory and stores this list in your defined "temporary" directory. If you have an older

version of DOS, it may not have some of the parameters that are used.

To explain the instruction:

/b creates the short form of this command
/a includes hidden files so virus writers cannot use that to hide
%TEMP% is replaced by DOS with the defined "temp" directory
Add the following to autoexec.bat:
dir /b /a \msoffice\Winword\Startup > %TEMP%\startup.chk
diff %TEMP%\startup.lst %TEMP%\startup.chk > NUL
if errorlevel 1 goto diff_startup
[continue]
goto end
:diff_startup
echo Word startup directory changed^G
pause
:end
endbat

17

F R E E A N T I - V I R U S T I P S & T E C H N I Q U E S

PROS:

Informs of any change
Ensures clean boot up each day
Generally transparent

CONS:

No warning until next boot up
Requires expert to setup
Requires expert to understand use

Using endbat.bat

In the battle against macro viruses, it is important to know that many macro viruses

have payloads which attach extra code to the autoexec.bat file. When this happens, the next

time the machine is started, the code added by the macro virus will execute. Thus, it is

important to come up with a method which prevents such payloads from taking effect.

With batch files, there are two different ways to transfer control to another batch file.

One method is to "call" the second batch file. In this way, after the completion of the second

batch file, control is returned to the "caller." The second method transfers control directly to

another batch file. This method does not return control upon completion of the second batch

file.

First, we create an empty batch file called endbat.bat. In the autoexec.bat, instead of

letting it end by executing the last instruction, we transfer control to endbat, which finishes

the startup process. With this setup, any code that is added by a macro virus to the end of

autoexec.bat never gains control. Thus, none of that code runs. This same setup will cause

software installations which add to the end of autoexec.bat to also fail in the same way. In

such situations, simply remove the endbat transfer and replace it at the end of autoexec.bat

again.

PROS:

Endbat.bat immunizes against the effect of viruses

CONS:

May interfere with software installations that write to autoexec.bat

Rename debug.com and debug.exe

Another favored method by virus writers to deposit payloads onto users' machines is by

way of a debug script. (A debug script is readable text instructions sent to the DOS utility

named debug to create a binary file.) Usually, this is used to deliver virus programs or other

binary data. To combat this, one can rename or remove debug from users that don't normally

have need for that program.

Verify that the program is no longer available by typing "debug" on a command line. If

the program still runs, the job is not yet complete.

In the battle against macro

viruses, it is important to know

that many macro viruses have

payloads which attach extra

code to the autoexec.bat file.

N E T W O R K A S S O C I A T E S

18

PROS:

Eliminates effect of virus payloads that use debug to plant such onto machines

CONS:

Not a solution for programmers who need to use debug

Rename WScript.exe

This next technique is similar to the previous section, involving a file named

WScript.exe.

Virus writers have started to take advantage of VisualBasic Script, which requires the

installation of something called the Windows Scripting Host. If your operating system is

Windows 95 or WindowsNT, in order to have Windows Scripting Host installed, you must

install it as an adjunct. But since Windows 98, the Windows Scripting Host comes installed

by default. So, similar to renaming debug.exe, you can rename or remove WScript.exe.

PRO:

Users not affected by viruses that use VB Script to invoke payloads or to spread

CON:

Some people actually do want VB Script

Excel Macro Viruses

Check the XLSTART Directory

Excel has a startup directory similar to that of Word. Any template file found in this

directory is automatically loaded into Excel on startup. This directory is the XLSTART

subdirectory under where Excel exists. This behavior being exactly the same as Word, meaning

we can use similar code as was discussed in the Check the Startup Directory section above.

dir /b /a \msoffice\Excel\XLStart > %TEMP%\xlstart.lst

Add the following to autoexec.bat:

dir /b /a \msoffice\Excel\XLStart > %TEMP%\xlstart.chk
diff %TEMP%\xlstart.lst %TEMP%\xlstart.chk > NUL
if errorlevel 1 goto diff_xlstart
[continue]
goto end
:diff_xlstart
echo Excel startup directory changed^G
pause
:end
endbat

PROS:

Informs of any change
Ensures clean boot up each day
Generally transparent

CONS:

No warning until next boot up

19

F R E E A N T I - V I R U S T I P S & T E C H N I Q U E S

Create a Personal.xls File

This technique is equivalent to creating a Payload macro to address Word macro

viruses. Laroux.A checks for the existence of a file by the name of personal.xls in Excel's

XLSTART directory. If one exists, it does not infect. Thus, if we put a file by that name in that

directory, we will be immunized from Laroux.A. As with Concept.A, Laroux.A is the most

widespread of all Excel macro viruses.

To create such a file, simply take an empty Excel file and place it in the XLSTART

subdirectory under where Excel is located.

As in the case of Word, many other viruses have since appeared, and other variants of

Laroux now exist that would not be affected by this approach.

PROS:

Works against Laroux.A

CONS:

Ineffective against any other virus

Excel Macro Virus Protection

Like Word97, Excel97 also has the Macro virus protection option as a check box

available under Tools/Options…/General (see also the section entitled "Word 7.0a and

Word97"). This check box enables the user to be alerted if any macros exist in the spreadsheet

about to be opened. If such a spreadsheet is encountered, the user is given the choice of

stopping, disregarding the warning, or continuing with the macros disabled.

However, Excel users often use more macros than Word users. Therefore, Excel users are

more likely to get the alert involving useful macros than their counterparts who use Word.

Thus, though users should be encouraged to use this option, system administrators would

likely find rebellious users if they tried to enforce this technique.

PRO:

Generally effective. If there's a macro in the spreadsheet, it tells you so.

CON:

Many Excel spreadsheets have useful macros, so many false alarms

PowerPoint Macro Viruses

It took about two years after the introduction of PowerPoint97 for the first PowerPoint

virus to appear. Because PowerPoint is much less widely used than Word or Excel, and

because PowerPoint97 shares the same macro programming language as its Office97

brethren, the first PowerPoint97 viruses happen to be cross-infectors which can also infect

Word or Excel.

PowerPoint only started to support macros in the version distributed as PowerPoint97.

PowerPoint only started to

support macros in the version

distributed as PowerPoint97.

N E T W O R K A S S O C I A T E S

20

Versions prior did not support macros, thus were not capable of having viruses. However,

later versions, as with PowerPoint 2000, will also support macros and are therefore equally

susceptible to viruses as the PowerPoint97 version.

Blank Presentation.pot

As with Word, PowerPoint has a default template mechanism similar to normal.dot. For

PowerPoint97, this file is called Blank Presentation.pot and can be found in the

…\Office\Templates directory (\Program Files\Microsoft Office\Templates typically). As it is a

singular file, the techniques described in points entitles " ReadOnly Normal.dot," "Replace

Normal.dot Every Time," and "Check For Changes to Normal.dot" are all equally applicable to

PowerPoint. All the PROS and CONS stated for those sections apply as well.

PowerPoint Macro Virus Protection

As with Word and Excel in Office97, PowerPoint97 also has the Macro virus protection

option as a check box available under Tools/Options…/General. (The option is not available

for Access, the last of the four components of Office97.)

The technique works the same. Thus all the PROS and CONS for points entitled "Word

7.0 and Word97" and "Excel Macro Virus Protection" apply to PowerPoint97 as well. The only

difference is that most users, while doing elaborate presentations, do not make use of macros

to accomplish those feats.

Office 2000 Viruses

Office2000 perpetuates many of the anti-virus issues already discussed in previous

Microsoft Office versions in this paper. However, a few specific issues arise in the Office2000

environment in particular. Additional tips for securing against viruses for those situations are

offered below.

Access 2000

Access 2000 will finally support Macro virus protection under Tools/Options…/General,

like the other Office products. See also points entitled "Word 7.0 and Word97," "Excel Macro

Virus Protection" and "PowerPoint Macro Virus Protection."

Word 2000

Word 2000 will check the registry for settings to decide whether it will allow macros to

execute or to always open a document with macros disabled. It will check in two locations.

One of the registry locations will be under the HKEY_LOCAL_MACHINE tree, which will

require someone with admin rights in order to change it. Thus, if it is set, and users are not

granted admin rights, users can be forced to do without macros.

21

F R E E A N T I - V I R U S T I P S & T E C H N I Q U E S

Script Viruses

As introduced in the point entitled "Rename WScript.exe", the Visual Basic Script

language can be used by macro viruses. There are other methods than renaming WScript.exe

that can make your system less vulnerable to an automatic, or silent, infection.

Suppress the default association of .VBS

Normally, the .VBS extension is associated to WScript.exe. With this association, a

"double-click" on such a file will execute the script. So, instead of allowing a double click to

automatically run the script, you might change it to bring it up in an editor. Of course, you

would want to leave at least one association to run the script, after you've read it. If you

choose this technique, follow along with the instructions from the section entitled "Word

Viewer" and change it as below, from:

HKEY_CLASSES_ROOT
.vbs

VBScript file

VBScript file

shell

open

command

C:\Program Files\Windows NT\WScript.exe "%1"

To:

C:\Program Files\Windows NT\Notepad.exe "%1"

If REGEDIT scares you, you can make these changes by using WINDOWS EXPLORER:

View
Options...
Choose the "File types" folder.
In the Registered file types window, choose VBScript file, then Edit...
An edit file type window is displayed.
In the actions window, choose open.
An editing action for type window is displayed.
In the Application used to perform action, change the old command to the new one.

PRO:

Double clicking a file will not automatically execute .VBS files

CON:

Double clicking a file will not automatically execute .VBS files

…the Visual Basic Script

language can be used by macro

viruses.

N E T W O R K A S S O C I A T E S

22

Additional Tips

Handling Suspect Documents

For the network administrator who must handle a corporation's suspect documents,

here are some additional suggestions.

First be sure to use all the techniques in the sections above. If a file is suspect, create a

clean environment by using the process outlined in the "DisableAutoMacros" section (one of

the "Methods Provided in Microsoft Word"). Examine the file using

File/Templates/Organizer, before opening any other files. If the suspect file does not have a

ToolsMacro entry, use it to rename the macros to shortened names before examining the

macros. If it does, create your own ListMacros menu option and use it instead of

ToolsMacro.

Cleaning Infected Documents

There is also the rare occasion that a network administrator may need to clean an

infected document immediately so the document can be used without delay. As anti-virus

vendors, we recommend strongly against this activity. Please use this technique with utmost

care, and only if there is no time to employ the assistance of experienced virus researchers.

This is best done on a stand-alone machine. But if that can't be accomplished, be very careful.

After verifying that the virus does not have an EditCopy or EditCut macro, and there

are no templates in the startup directory nor normal.dot, open the file while holding the shift

key. (Or for the adventurous, place noauto.dot into the startup directory.)

Select entire Document
Edit/Copy to Clipboard
File/Exit from Word
Delete normal.dot (or rename it) and remove all files from the startup directory
Restart Word
File/New a new empty document
Edit/Paste from Clipboard
File/SaveAs as a new document. In so doing, be sure that the file is not automatically being
saved as a template. If so, the environment is infected. And assuming all the above was
handled properly, pick up the phone and call your virus security vendor.

23

F R E E A N T I - V I R U S T I P S & T E C H N I Q U E S

Author's Conclusions

Obviously, the most simple, effective, and reliable method of protecting against viruses

is the use of proven anti-virus products. Because the purpose of this paper is to examine free

techniques, however, I would like to conclude by noting which of the free methods I use

personally.

To begin with, I set my normal.dot file to read-only. In addition, I use “Prompt to Save

Normal Template.” As detailed earlier, the two do not conflict and thus it's possible to use

both. Both are meant to warn you by the end of the day if your environment was infected

during the day.

But, why use both? Isn't one enough?

The first answer is that it doesn't hurt, so why not? The second answer is that some

viruses try to undo one or the other. So, using both techniques means a virus has to attack

both simultaneously to circumvent the protection. And if nothing is happening, both are

transparent, so they will not disturb your everyday work.

I also use the “DisableAutoMacros template” as distributed in the separate file

noauto.dot. Most viruses make use of an auto macro of one sort or another to spread. And all

the viruses in the wild do. With this macro in place, viruses will not automatically activate

and the chance of spreading something, even if you come in contact with it, is much smaller.

Furthermore, as described in its section, an MIS director can create this file and send it to the

whole company to be placed in the appropriate location. Thus this can have corporate wide

impact with little effort.

Lastly, throughout all the Office97 products, each is programmed to alert if any macros

exist in an incoming document, be that Word, Excel, or PowerPoint. The products in their

default mode have the macro alert on. Don't turn it off until you hit your first false alarm.

And even then, judge how much trouble the false alarm caused. If you feel that it was not a

problem, leave the setting on. The alert is not perfect (the problem scenarios have been

documented in Vesselin Bontchev's paper for the 1996 Virus Bulletin Conference). But until

you experience a false alarm, it will not have caused you any issues.

Obviously, the most simple,

effective, and reliable method of

protecting against viruses is the

use of proven anti-virus products.

N E T W O R K A S S O C I A T E S

24

Acknowledgments

Vesselin Bontchev, Anti-Virus Research, FRISK Software Intl.

Stefan Geisenheiner, Anti-Virus Research, Amsterdam, NL, Network Associates, Inc.

Raymond M. Glath, Sr., President, RG Software Systems

Jivko Koltchev, Anti-Virus Research, Santa Clara, CA, Network Associates, Inc.

Akihiko Muranaka, Tokyo, Japan, Network Associates, Inc.

Francois Paget, Anti-Virus Research, Paris, France, Network Associates, Inc.

Translations available in German, French, Spanish and Portuguese

McAfee, Total Virus Defense and Network Associates are registered trademarks of Network Associates, Inc. and/or its affiliates in the U.S. and/or other countries. All other registered and unregistered
trademarks in this document are the sole property of their respective owners. ©1999 Networks Associates Technology, Inc. All rights reserved.

6-TVD-FAV-001 9/99

For more information on products, services, and support,
contact your authorized Network Associates sales representative.

C O R P O R A T E H E A D Q U A R T E R S

3965 Freedom Circle
Santa Clara, CA 95054-1203
Tel

(408) 988-3832*

Fax (408) 970-9727

*Call for additional Worldwide Sales Offices